Tell HN: Ffmpeg vulnerability allows attacker to get files from server or PC

69 points

10 years ago

ffmpeg vulnerability allows reading local files and sending them over network using a specially crafted video file. This affects not only file conversion (including thumbnail generation), but also any other operations that involve ffmpeg processing your file — for example, ffprobe is affected.

This is not remote code execution, the vulnerability is limited to reading local files and sending them over network, but that is already bad enough.

For example, a specially crafted «video» file uploaded to your server by an attacker could read your website config/private keys/etc and send that to the attacker once you try to generate a thumbnail for it or just probe it with ffmpeg.

On a PC, you don't even need to open a file to get affected, just downloading it would be enough in some cases — video files are processed with ffmpeg for filemanager thumbnails (i.e. KDE Dolphin), for search indexers, etc.

That vulnerability is public, has code samples to reproduce and build a malicious file, and is not fixed atm.

The recommended quick fix is to rebuild ffmpeg without network support (--disable-network configure flag).

Original post: http://habrahabr.ru/company/mailru/blog/274855/

The original text is in Russian, use https://translate.yandex.com or https://translate.google.com/ to read it.

24 comments